# Only listen on IPv4
AddressFamily inet

# Disable insecure forwarding of every kind: agent, TCP, Unix-socket, tunnel and X11
# (DisableForwarding on its own already covers all of these; the explicit lines are belt-and-braces)
AllowAgentForwarding no
AllowTcpForwarding no
AllowStreamLocalForwarding no
DisableForwarding yes
PermitTunnel no
X11Forwarding no

##### Authentication #####

# Uncomment for public-key-only authentication. sshd applies the first value it reads for a
# keyword, so the "#UsePAM no" here takes precedence over the "UsePam yes" further down once enabled.
#AuthenticationMethods publickey
#PasswordAuthentication no
#UsePAM no

# Needed for password authentication (keywords are case-insensitive, so UsePam is read as UsePAM)
UsePam yes

# Disable challenge-response / keyboard-interactive authentication
# (in newer OpenSSH this keyword is a deprecated alias for KbdInteractiveAuthentication)
ChallengeResponseAuthentication no

# Slow down brute-force attempts: cap authentication tries and sessions per connection,
# and never accept an empty password
MaxAuthTries 3
MaxSessions 2
PermitEmptyPasswords no

# Disable root ssh login
PermitRootLogin no

# Enable public-key authentication
PubkeyAuthentication yes

##### Crypto #####

# Avoid use of weak algorithms. Note that key-exchange algorithms (KexAlgorithms) are not
# restricted here, so the server falls back to its built-in default list for KEX.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

##### Network #####

# Probe idle clients every 300 s and disconnect after 2 unanswered probes (about 10 minutes),
# so unresponsive sessions do not linger
ClientAliveInterval 300
ClientAliveCountMax 2

# Ignore per-user .rhosts/.shosts files so host-based trust cannot be used to hop between hosts
IgnoreRhosts yes

# Disable compression, which has historically been a source of bugs
Compression no

# Enforce SSHv2 only (modern OpenSSH no longer supports SSHv1 and ignores this deprecated keyword;
# it is kept for older servers)
Protocol 2

# Skip reverse DNS lookups of client addresses
UseDNS no

FingerprintHash SHA256
StrictModes yes
PrintLastLog yes
LogLevel VERBOSE
LoginGraceTime 120
PermitUserEnvironment no
GatewayPorts no
